Only 87 vulnerabilities patched in October...But what's the opportunity cost of patching...
Simon Townsend
Technical Sales and Marketing Leader for Modern Workspace solutions
Any IT professional involved in end-user computing or responsible for managing Windows environments and infrastructure will be more than aware of the importance of patching and very familiar with the term 'Patch Tuesday.'
This week Microsoft announced a 'lower than normal' 87 vulnerabilities across 12 of its products, listing 12 of them as critical. The update contains important fixes for Exchange Server, Office, the .NET Framework and more.
Of particular importance is a critical update affecting Windows 10 and Windows Server 2019. CVE-2020-16898 addresses a bug in the TCP/IP stack that could allow malicious code to take over an unpatched system. In addition, CVE-2020-16947 affects Microsoft Outlook, potentially allowing an attacker to trick a user into opening a file that could be used in a malware or ransomware attack.
Why Patch?
In today's world, where millions of us are working from home and accessing business applications and data remotely, the need to keep our OS and applications patched and up to date becomes ever more critical. Our employees are no longer sat inside our offices or protected by our corporate firewalls, so remote working means they and the devices they use are arguably more exposed and require regular patching and updates.
The threat in 2020
In 2016 we all experienced the danger associated with unpatched systems when WannaCry attacked millions of endpoints. Today in 2020, ransomware still plagues our daily lives, the organisations we work for and the services we use. ZDNet reports that the UK NHS has received over 40K emails in recent months, all of which are regarded as spam and/or contain a form of phishing attack - 21K of them malicious emails in March alone! Only this week, the G7 has raised the alarm that ransomware is on the increase and poses a real threat to economies all over the world. Garmin, Travelex and Canon are familiar names which have all experienced recent attacks. Even those organisations trying to develop COVID vaccines have come under attack. These threats, which can exploit vulnerabilities in our systems, require organisations to allocate an ongoing amount of time to patching.
So just patch it !!!????!!!!???
Several solutions in the market today offer detailed analysis tools and automated ways to deploy patches. Many of them simplify the process and remove the complexity of understanding which systems need which patch.
These solutions should solve our patching woes, but sadly, especially in the world of Windows 10, patching alone is not enough, and it continues to carry an opportunity cost that I believe should be well behind us. Patching remote machines is just not that easy.
Windows 10 Updates
Firstly, Windows 10 is now an operating system that requires constant 'love and attention.' Windows as a Service, with its 6-monthly release cadence, means that it is not just patches that need to be applied. The OS feature updates alone are large, and over time each release loses official support. Compared to previous versions of Windows, this change means endpoints need to be visible and managed more frequently than ever before. For the 20% of devices still on Windows 7, this adds to the complexity of the migration.
Operational Cost
Secondly, the cost of patching remains high! I'm not talking about the price of a patching solution (in fact they are typically not that expensive) - I am referring to the operational cost.
With every patch deployed comes risk: a risk that something will break. An application that won't launch, an operating system or service that won't boot. Then you have the challenge of how you deploy that patch. Did it deploy? Did it reach every employee's home network? How big was the patch? When did it deploy, and to how many? How long does the patch process take? Is the endpoint capable of installing the patch? How much downtime will the employee experience? If something does break, can you roll back? The list goes on...
Opportunity Cost
IT budgets will continue to grow, not to support our existing systems but to help drive our businesses. Digital transformation requires IT to do more than ever before. People, technology and time are precious.
Patching is no doubt an important task, but what is the opportunity cost of patching? Just imagine what we could achieve if we didn't need to spend the time testing, deploying and worrying about what should be a simple task. Imagine a world where you could patch centrally... keep reading.
Patching is about IT operations, not security.
It was about two weeks ago, over a socially distanced beer and pizza with David Shepherd (Global VP of Sales Engineering at Ivanti), that he reminded me that patching was less about security and more about IT operations. Since then, I have sat on a number of internal business reviews and had the pleasure of hosting several customer panels for our Digital Disrupt events. Endpoint security comes into every conversation, but when you dig a little deeper, you find that the challenge many face is not one of security but of the operational work involved.
Enter the world of modern management...
For those insistent on buying high-cost, fast-depreciating endpoints that are expensive to support and difficult to update, or for those who panic-purchased thousands of endpoints to enable WFH, solutions from Microsoft, VMware, Ivanti and others can certainly help patch and update endpoints, even those that sit within the home office.
Microsoft's Intune and its work on Endpoint Manager demonstrate how PC lifecycle management tools are being combined with modern device management. Thanks to the acquisition of AirWatch and other technologies, VMware's market-leading solution Workspace ONE continues to extend the ability to manage more than just Windows devices remotely. And with the recent news that Ivanti is due to acquire MobileIron, coupled with their existing well-known LANDESK solutions, the Unified Endpoint Management market can certainly help overcome many of the challenges discussed.
But it's not all about new tech - Remember VDI and the promise of DaaS
VDI has been used to help organisations deploy applications and desktops through virtualisation technologies from Citrix and VMware for over 20 years. Historically used for remote workers over low-bandwidth connections, or frequently deployed to help with business acquisitions and mergers, desktop virtualisation has been a steady, stable technology choice for some organisations and use cases.
However, with the recent rise in WFH, the need to rapidly deploy and support desktops and applications to a remote workforce has become business-critical. VDI and DaaS have proven themselves during the pandemic for many organisations.
VDI / DaaS - reducing the operational cost of Patching
But this virtualised and centralised desktop platform doesn't just help with remote work; it significantly reduces the IT operational cost required to patch and update Windows desktops. Hosting Windows in the datacentre means you no longer need to worry about the delivery of the patch, its size, or its impact on the applications, the user or the endpoint. Everything is done once, centrally and in a controlled manner. When ready, the updated image is simply activated, ready for the next employee to connect.
Customers who use VDI and DaaS don't spend hours worrying about patching. They use technologies like Machine Creation Services and single-image management to test and deploy once, yet at scale. They don't worry about the next Windows update, nor are they bothered whether an employee is sat in the office or working from home. Many of our customers will also tell you they don't worry about the endpoint...
In a world of VDI and DaaS - The employee still needs a device? Surely that still needs to be managed?
The answer is, of course, yes, but don't call me Shirley :) People need an edge device, but in the world of VDI/DaaS, that edge device doesn't need to place a burden on IT operations. That device could run a Linux OS - easily managed, more secure and more cost-effective - but that is another story, one that can be found here: https://www.igel.com/company/our-story/
For now though, when you read of the next ransomware attack or see the next Patch Tuesday update, take time to consider whether the attack used a known vulnerability, whether that vulnerability could have been patched, and how much more secure and operationally efficient it could have been if the employee had instead been using a virtualised desktop, accessed from a Linux endpoint.
What else could your IT operations staff be doing for your company?
Simon
Comment (3 years ago): Really good Simon, thanks for sharing!